tm2: comparison thys/Hoare

equal deleted inserted replaced

-:192672a6fff4
+:dcbf7888a070
 theory Hoare_gen
 imports Main
 "../Separation_Algebra/Sep_Tactics"
 begin
 definition
 pasrt :: "bool \<Rightarrow> 'a::sep_algebra \<Rightarrow> bool" ("<_>" [72] 71)
 where "pasrt b = (\<lambda> s . s = 0 \<and> b)"
 (* separation Hoare tripple *)
 definition
 Hoare_gen :: "('a \<Rightarrow> bool) \<Rightarrow> ('a \<Rightarrow> bool)  \<Rightarrow> ('a \<Rightarrow> bool) \<Rightarrow> bool"  ("(\<lbrace>(1_)\<rbrace>/ (_)/ \<lbrace>(1_)\<rbrace>)" 50)
 where
 "\<lbrace>p\<rbrace> c \<lbrace>q\<rbrace> \<equiv>
-(\<forall>s r. (p \<and>* c \<and>* r) (recse s) \<longrightarrow> (\<exists>k. ((q \<and>* c \<and>* r) (recse (run (Suc k) s)))))"
+\<forall>s r. (p \<and>* c \<and>* r) (recse s) \<longrightarrow> (\<exists>k. (q \<and>* c \<and>* r) (recse (run (Suc k) s)))"
 lemma HoareI [case_names Pre]:
-assumes h: "\<And> r s. (p \<and>* c \<and>* r) (recse s) \<Longrightarrow> (\<exists>k. ((q \<and>* c \<and>* r) (recse (run (Suc k) s))))"
+assumes h: "\<And> r s. (p \<and>* c \<and>* r) (recse s) \<Longrightarrow> \<exists>k. (q \<and>* c \<and>* r) (recse (run (Suc k) s))"
 shows "\<lbrace>p\<rbrace> c \<lbrace>q\<rbrace>"
 using h
 unfolding Hoare_gen_def
 by simp
 unfolding pred_ex_def
 proof(induct rule:HoareI)
 case (Pre r' s')
 then obtain k where "(p \<and>* (\<lambda> s. c k s) \<and>* r') (recse s')"
 by (auto elim!: sep_conjE intro!: sep_conjI)
-from h[unfolded Hoare_gen_def, rule_format, OF this]
+with h[unfolded Hoare_gen_def]
 show "\<exists>k. (q \<and>* (\<lambda>s. \<exists>x. c x s) \<and>* r') (recse (run (Suc k) s'))"
-by (auto elim!: sep_conjE intro!: sep_conjI)
+by (blast elim!: sep_conjE intro!: sep_conjI)
 qed
+(* FIXME: generic section ? *)
 lemma code_extension:
 assumes "\<lbrace>p\<rbrace> c \<lbrace>q\<rbrace>"
 shows "\<lbrace>p\<rbrace> c \<and>* e \<lbrace>q\<rbrace>"
 using assms
 unfolding Hoare_gen_def
 definition
 IHoare :: "('b::sep_algebra \<Rightarrow> 'a \<Rightarrow> bool) \<Rightarrow> ('b \<Rightarrow> bool) \<Rightarrow> ('a \<Rightarrow> bool)  \<Rightarrow> ('b \<Rightarrow> bool) \<Rightarrow> bool"
 ("(1_).(\<lbrace>(1_)\<rbrace>/ (_)/ \<lbrace>(1_)\<rbrace>)" 50)
 where
-"I. \<lbrace>P\<rbrace> c \<lbrace>Q\<rbrace> = (\<forall>s'. \<lbrace> EXS s. <P s> \<and>* <(s ## s')> \<and>* I(s + s')\<rbrace> c
+"I. \<lbrace>P\<rbrace> c \<lbrace>Q\<rbrace> = (\<forall>s'. \<lbrace>EXS s. <P s> \<and>* <(s ## s')> \<and>* I(s + s')\<rbrace> c
-\<lbrace> EXS s. <Q s> \<and>* <(s ## s')> \<and>* I(s + s')\<rbrace>)"
+\<lbrace>EXS s. <Q s> \<and>* <(s ## s')> \<and>* I(s + s')\<rbrace>)"
 lemma IHoareI [case_names IPre]:
 assumes h: "\<And>s' s r cnf .  (<P s> \<and>* <(s ## s')> \<and>* I(s + s') \<and>* c \<and>* r) (recse cnf) \<Longrightarrow>
-(\<exists>k t. (<Q t> \<and>* <(t ## s')>  \<and>* I(t + s') \<and>* c \<and>* r) (recse (run (Suc k) cnf)))"
+\<exists>k t. (<Q t> \<and>* <(t ## s')>  \<and>* I(t + s') \<and>* c \<and>* r) (recse (run (Suc k) cnf))"
 shows "I. \<lbrace>P\<rbrace> c \<lbrace>Q\<rbrace>"
 unfolding IHoare_def
 proof
 fix s'
 show " \<lbrace>EXS s. <P s> \<and>* <(s ## s')> \<and>* I (s + s')\<rbrace>  c
 and h2: "I. \<lbrace>Q\<rbrace> c2 \<lbrace>R\<rbrace>"
 shows "I. \<lbrace>P\<rbrace> c1 \<and>* c2 \<lbrace>R\<rbrace>"
 using h1 h2
 by (smt IHoare_def sep_exec.composition)
+(* FIXME: generic section *)
 lemma pre_condI:
 assumes h: "cond \<Longrightarrow> \<lbrace>p\<rbrace> c \<lbrace>q\<rbrace>"
 shows "\<lbrace><cond> \<and>* p\<rbrace> c \<lbrace>q\<rbrace>"
 proof(induct rule:HoareI)
 case (Pre r s)
 from h[OF this(1), unfolded Hoare_gen_def, rule_format, OF this(2)]
 show ?case .
 qed
 lemma I_pre_condI:
-assumes h: "cond \<Longrightarrow> I.\<lbrace>P\<rbrace> c \<lbrace>Q\<rbrace>"
+assumes h: "cond \<Longrightarrow> I. \<lbrace>P\<rbrace> c \<lbrace>Q\<rbrace>"
-shows "I.\<lbrace><cond> \<and>* P\<rbrace> c \<lbrace>Q\<rbrace>"
+shows "I. \<lbrace><cond> \<and>* P\<rbrace> c \<lbrace>Q\<rbrace>"
 using h
 by (smt IHoareI condD cond_true_eq2 sep.mult_commute)
+(* FIXME: generic section *)
 lemma code_condI:
 assumes h: "b \<Longrightarrow> \<lbrace>p\<rbrace> c \<lbrace>q\<rbrace>"
-shows "\<lbrace>p\<rbrace> <b>**c \<lbrace>q\<rbrace>"
+shows "\<lbrace>p\<rbrace> <b> \<and>* c \<lbrace>q\<rbrace>"
 proof(induct rule: HoareI)
 case (Pre r s)
 hence h1: "b" "(p \<and>* c \<and>* r) (recse s)"
 apply (metis condD sep_conjD sep_conj_assoc)
 by (smt Pre.hyps condD sep_conj_impl)
 by (metis (full_types) cond_true_eq1)
 qed
 lemma I_code_condI:
 assumes h: "b \<Longrightarrow> I. \<lbrace>P\<rbrace> c \<lbrace>Q\<rbrace>"
-shows "I.\<lbrace>P\<rbrace> <b>**c \<lbrace>Q\<rbrace>"
+shows "I. \<lbrace>P\<rbrace> <b> \<and>* c \<lbrace>Q\<rbrace>"
 using h
 by (smt IHoareI condD cond_true_eq2 sep.mult_commute sep_conj_cond1)
+(* FIXME: generic section *)
 lemma precond_exI:
 assumes h:"\<And>x. \<lbrace>p x\<rbrace> c \<lbrace>q\<rbrace>"
 shows "\<lbrace>EXS x. p x\<rbrace> c \<lbrace>q\<rbrace>"
-proof(induct rule:HoareI)
+proof(induct rule: HoareI)
 case (Pre r s)
 then obtain x where "(p x \<and>* c \<and>* r) (recse s)"
 by (unfold pred_ex_def, auto elim!:sep_conjE intro!:sep_conjI)
 from h[of x, unfolded Hoare_gen_def, rule_format, OF this]
 show ?case .
 qed
 lemma I_precond_exI:
 assumes h:"\<And>x. I. \<lbrace>P x\<rbrace> c \<lbrace>Q\<rbrace>"
-shows "I.\<lbrace>EXS x. P x\<rbrace> c \<lbrace>Q\<rbrace>"
+shows "I. \<lbrace>EXS x. P x\<rbrace> c \<lbrace>Q\<rbrace>"
 proof(induct rule:IHoareI)
 case (IPre s' s r cnf)
 then obtain x
 where "((EXS s. <P x s> \<and>* <(s ## s')> \<and>* I (s + s')) \<and>* c \<and>* r) (recse cnf)"
 by ( auto elim!:sep_conjE intro!:sep_conjI simp:pred_ex_def pasrt_def sep_conj_ac)
 by (unfold pred_ex_def, auto elim!:sep_conjE intro!:sep_conjI)
 thus ?case
 by (auto simp:sep_conj_ac)
 qed
+(* FIXME: generic section *)
 lemma hoare_sep_false:
-"\<lbrace>sep_false\<rbrace> c
+"\<lbrace>sep_false\<rbrace> c \<lbrace>q\<rbrace>"
-\<lbrace>q\<rbrace>"
 by(unfold Hoare_gen_def, clarify, simp)
 lemma I_hoare_sep_false:
-"I. \<lbrace>sep_false\<rbrace> c
+"I. \<lbrace>sep_false\<rbrace> c \<lbrace>Q\<rbrace>"
-\<lbrace>Q\<rbrace>"
 by (smt IHoareI condD)
 end
 instantiation set :: (type)sep_algebra
 lemmas set_ins_def = sep_disj_set_def plus_set_def set_zero_def
 instance
 apply(default)
-apply(simp add:set_ins_def)
+apply(auto simp: set_ins_def)
-apply(simp add:sep_disj_set_def plus_set_def set_zero_def)
+done
-apply (metis inf_commute)
-apply(simp add:sep_disj_set_def plus_set_def set_zero_def)
-apply(simp add:sep_disj_set_def plus_set_def set_zero_def)
-apply (metis sup_commute)
-apply(simp add:sep_disj_set_def plus_set_def set_zero_def)
-apply (metis (lifting) Un_assoc)
-apply(simp add:sep_disj_set_def plus_set_def set_zero_def)
-apply (metis (lifting) Int_Un_distrib Un_empty inf_sup_distrib1 sup_eq_bot_iff)
-apply(simp add:sep_disj_set_def plus_set_def set_zero_def)
-by (metis (lifting) Int_Un_distrib Int_Un_distrib2 sup_eq_bot_iff)
 end
 section {* A big operator of infinite separation conjunction *}
 definition "fam_conj I cpt s = (\<exists> p. (s = (\<Union> i \<in> I. p(i))) \<and>

changeset 8	dcbf7888a070
parent 5	6c722e960f2e
child 11	f8b2bf858caf